[DNSOP] dnsop@ietf.org
Vernon Schryver <vjs@rhyolite.com> Thu, 17 August 2017 21:11 UTC
Return-Path: <vjs@rhyolite.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E1E01321EF for <dnsop@ietfa.amsl.com>; Thu, 17 Aug 2017 14:11:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHVWhMV1-z1W for <dnsop@ietfa.amsl.com>; Thu, 17 Aug 2017 14:11:20 -0700 (PDT)
Received: from calcite.rhyolite.com (calcite-v6.rhyolite.com [IPv6:2001:470:4b:581::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B49F1321BF for <dnsop@ietf.org>; Thu, 17 Aug 2017 14:11:20 -0700 (PDT)
Received: from calcite.rhyolite.com (localhost [127.0.0.1]) by calcite.rhyolite.com (8.15.2/8.15.2) with ESMTPS id v7HLB3Ot078274 (CN=www.rhyolite.com version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <dnsop@ietf.org> env-from <vjs@rhyolite.com>; Thu, 17 Aug 2017 21:11:04 GMT
Received: (from vjs@localhost) by calcite.rhyolite.com (8.15.2/8.15.2/Submit) id v7HLB3kQ078273 for dnsop@ietf.org; Thu, 17 Aug 2017 21:11:03 GMT
Date: Thu, 17 Aug 2017 21:11:03 +0000
From: Vernon Schryver <vjs@rhyolite.com>
Message-Id: <201708172111.v7HLB3kQ078273@calcite.rhyolite.com>
To: dnsop@ietf.org
X-DCC-Rhyolite-Metrics: calcite.rhyolite.com; whitelist
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ljDl9_0bKuk2ObI_7kf1OQNVh90>
Subject: [DNSOP] dnsop@ietf.org
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 21:11:22 -0000
> From: Paul Vixie <paul@redbarn.org> > there will in my model be only one resolver, and while it may or may not > be trusted to tell the truth, it may or may not also be trusted to tell > a useful lie. that is, truth has value, and some lies also have value, > for example an RPZ answer of NXDOMAIN when the qname is a DGA. but right > now we have no authentication of the lies, while we do have it for the > truth (if DNSSEC is used). so, i am conflating two issues in my > stick-figure of the moment: authentication of lie source and content, > and, the ability of an end-user via resolv.conf or API to tell her local > applications what lie-source to believe, if any. I separate those issues into 1. authenticating (signing) AD=1 in responses from resolvers to stubs. This is needed wherever the resolver is not reached by "localhost" and in some cases even where "localhost" is used. Most stubs do not reach their resolvers via localhost and either trust unsigned AD bits or ignore them. Either case makes DNSSEC almost a sham. This needs protocol work or the routine use of TSIG on requests and something for key distribution or public keys with TSIG or something else, new or old. This is not an RPZ issue. 2. applications that demand truth getting it instead of RPZ lies from resolvers that do RPZ filtering. > i'm on a different trail entirely. we have to include the truth if it's > dnssec signed, since the client will know we're lying if we do > otherwise. ... How does a stub know that the resolver gave an RPZ lie via DNSSEC? RPZ lies don't include RRSIGs. Would the stub interate to get NS, A, AAAA, and RRSIG rrsets starting with the root and then either fail to get RRSIGs somewhere in the chain and stop with "oh, never mind", or check that signature chain against the rrset it got a long time ago from the resolver? The stub probably needs a cache for all of those rrsets, including caching the absense of RRSIG rrsets. It must pay attention to authority sections and the right rrsets in additional sections. It would need to resolve CNAME (and DNAME?) chains. And so forth for a lot of what makes a recursive resolver. On the other hand, a stub could not worry about DNSSEC and watch for the special RPZ SOA in the additional sections of RPZ lies, and when it sees one, ask again for truth. On the third hand, a stub working for an application that wants truth could always ask for truth instead of RPZ filtering. As I keep saying only debugging applications want both truth and lies, and they don't need both at once (and couldn't receive both through current APIs). They could make two requests of the stub, one for truth and one for lies. I think the second hand is much better that the first and the third is best. Not only do they not force stubs to become resolvers, they give truth to applications that want it even when DNSSEC is not involved (as it won't be if ever in almost all of com and net). Applications that want truth instead of RPZ lies don't care whether DNSSEC was involved; they just want the resolver's best shot at the truth. They might separately want to tell the stub to discard anything from the resolver that lacks a (signed) AD=1. Note that RPZ lies are distinguished by the following and only the 3rd is dispositive: - no RRSIG rrsets - AD=0 - that bogus additional section SOA Vernon Schryver vjs@rhyolite.com
- [DNSOP] dnsop@ietf.org Vernon Schryver